SSL server certificate algorithms
During the configuration process (following an installation or upgrade), you can generate and install a self-signed certificate when prompted to configure SSL certificates. To do so, use the Generate and install a new test certificate (self-signed) option; you will then have to select an algorithm to encrypt the SSL certificate.
Supported algorithms for this option are:
- SHA-1 with RSA encryptions
- SHA-256 with RSA encryptions
SHA-1 has known cryptographic weaknesses, and is to be phased out by the National Institute of Standards and Technology. Although these weaknesses exist and reduce the security, at the moment there is no known practical way to break a SHA-1 encryption.
Refer to http://csrc.nist.gov/publications/nistpubs/800-107/NIST-SP-800-107.pdf for detailed information regarding the status of SHA-1.
These applications may be checking the validity of the server certificate:
- Digipass authentication clients:
- Digipass Authentication for Windows Logon
- Digipass Authentication for OWA Basic
- Digipass Authentication for OWA Forms
- Digipass Authentication for Microsoft ADFS
- Digipass Authentication for Citrix StoreFront
- Digipass Authentication for Remote Desktop Web Access
- Digipass Authentication for IIS Basic
- Wireless RADIUS supplicants
- Custom web applications created via the software development kit
If the operating system on the client machine does not support the encryption algorithm used for the server certificate, it will be unable to complete a certificate validation.